Ok, so basically a blogger who had one of these cams noticed that the password didn't actually protect anything if you had the right URL, and that it was pretty easy to find the URL required to view the feed. This was on the 10th of January - TRENDnet said they became aware on the 12th. They tried to identify susceptible models and email customers, but apparently knew they couldn't identify everyone, and didn't mention that anywhere on their website, and instead tried to quietly fix the problem (at the time of the article's writing, they still didn't mention it).

I think this is pretty scandalous - they should have warned people that this could be a problem when they became aware, instead of sweeping it under the rug and letting a bunch of people get spied on (there were websites that let you find feeds, some of them complete with a Google Maps location).

“When we remember we are all mad, the mysteries disappear and life stands explained.” - Mark Twain
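An added example of the flaw the post above describes, not code from the thread or from TRENDnet: a password gate on the viewer page is worthless when the URL that actually serves the feed does its own (missing) check. The route names, the session-cookie scheme, the key and the feed bytes are illustrative assumptions; the "vulnerable" handler models the pattern, and the "hardened" one shows the deny-by-default fix a firmware author would want, plus the unauthenticated audit a tester would run against each path.

```python
# Added example (not from the thread or TRENDnet): per-page auth check that
# forgets the stream URL, next to a deny-by-default version. Route names,
# session scheme, key and feed bytes are constructed for illustration.
import hmac
import hashlib
from dataclasses import dataclass, field

SESSION_KEY = b"example-only-key-rotate-in-real-firmware"  # assumption
FEED_BYTES = b"--boundary\r\nContent-Type: image/jpeg\r\n\r\n<constructed frame>"


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


def make_session(user: str) -> str:
    """Session cookie = user:HMAC(user); only the device can mint it."""
    mac = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def session_valid(cookie) -> bool:
    """Constant-time check of the cookie's MAC; anything malformed is invalid."""
    if not cookie or ":" not in cookie:
        return False
    user, mac = cookie.rsplit(":", 1)
    expected = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def vulnerable_app(req: Request):
    """Auth is checked per page: the viewer page redirects to /login, but the
    stream URL that page embeds is served to anyone who knows it."""
    if req.path == "/login":
        return 200, b"<form>login</form>"
    if req.path == "/":
        if not session_valid(req.cookies.get("session")):
            return 302, b"/login"
        return 200, b'<img src="/stream">'
    if req.path == "/stream":
        return 200, FEED_BYTES  # no session check here: this is the flaw
    return 404, b""


PUBLIC_PATHS = {"/login"}  # everything else needs a session


def hardened_app(req: Request):
    """Deny by default: every path not on the public allowlist needs a valid
    session before any route handler runs, so a forgotten check in one
    handler cannot expose the feed."""
    if req.path not in PUBLIC_PATHS and not session_valid(req.cookies.get("session")):
        return 401, b""
    if req.path == "/login":
        return 200, b"<form>login</form>"
    if req.path == "/":
        return 200, b'<img src="/stream">'
    if req.path == "/stream":
        return 200, FEED_BYTES
    return 404, b""


def audit_unauthenticated(app, paths):
    """The check a tester runs: request each path with no cookie and record
    the status; any 200 on a non-public path is the bug."""
    return {p: app(Request(p))[0] for p in paths}


if __name__ == "__main__":
    paths = ["/", "/stream"]
    print("vulnerable:", audit_unauthenticated(vulnerable_app, paths))
    print("hardened:  ", audit_unauthenticated(hardened_app, paths))
```

The point of the audit function is that it tests every resource path, not just the login page: the viewer page in the vulnerable version looks protected (it redirects), which is exactly why a quick manual check misses the open stream behind it.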

I gotta wonder at the difference between sweeping things under the rug and not making something widely known. The BBC article is actually pretty terrible in this regard. It doesn't say which models are affected, so people don't know to turn theirs off, but it informs the public that there are sites out there you can search to find addresses to spy on people. To me it seems to exacerbate the issue, especially considering they've said they're fixing it this week. Why post this article before the fix is in place and give people more time to spy on others?

Discovering it on Jan 10 and only fixing it now does seem a bit long to me, but I am not familiar with how their software works. Them contacting registered users was good, and I don't see a good method of getting this information out there without further compromising users' security. I suppose it also depends on how many people had these models. If it's a large number then making it public is good, since it's likely a large number will stop using their device compared to the people who want to hack into the feeds. But if it's a small number of people, it may be WORSE to make it public knowledge when you'll have a larger number of people who now START spying compared to those who see the news and turn their cameras off.

They are priding themselves on privacy, and so should let people know when they're compromised. They knew that about 5% of people registered with email addresses - they should have found some way of making it better known that this would happen. I get that it could be a risk between telling even more people about the problem (but it looks like a large number of people knew already) who would be able to abuse that, but the fact that these people were having their privacy already invaded should come first - they should have issued something similar to a product recall to let people know that they could be affected.

“When we remember we are all mad, the mysteries disappear and life stands explained.” - Mark Twain

Angua wrote:They are priding themselves on privacy, and so should let people know when they're compromised. They knew that about 5% of people registered with email addresses - they should have found some way of making it better known that this would happen. I get that it could be a risk between telling even more people about the problem (but it looks like a large number of people knew already) who would be able to abuse that, but the fact that these people were having their privacy already invaded should come first - they should have issued something similar to a product recall to let people know that they could be affected.

I'm still of the opinion that informing people publicly of the issue would have been a bad idea considering the number of affected people compared to the number of people who would decide to use that information negatively. Now, recalling the products though, that would have been a good thing to do. Wouldn't have exposed much added risk and would have protected people's privacy. Clearly companies don't like to recall things and here they clearly put their image ahead of their customers which I agree is an issue.

Hiding problems and hoping no one will notice is one of the most despicable business practices, and it seems to be SOP nearly everywhere. They should have informed every customer by email and a message on their website, then disabled the web streaming of all affected models with the option for the user to re-enable it after clicking a box saying they are aware of the security flaw.

That .... actually makes this even worse. These cameras are advertising themselves as safe and private, and this is a well-known thing that happens? Do the people buying these cameras know about it? If not, then this really should be an issue being reported about.

“When we remember we are all mad, the mysteries disappear and life stands explained.” - Mark Twain

TheAmazingRando wrote:Hasn't this been a recurring flaw in consumer security cameras? I remember 7 or 8 years ago you could access thousands of them just by googling the proper terms.

You still can... http://johnbokma.com/mexit/2005/01/09/security-webcam-hunting.html . These are more cases where people intentionally made their cam public, or didn't properly set up the privacy settings.